A Generalized Kahn Principle for Abstract 
Asynchronous Networks 



Samson Abramsky 

Department of Computing 
Imperial College of Science, Technology and Medicine 
180 Queen's Gate 
London SW7 2BZ 
England 

Published in the Proceedings of the Symposium on 
Mathematical Foundations of Programming Language Semantics, 
Springer Lecture Notes in Computer Science 442, pp. 1-21 

November 3, 1989 
Abstract 

Our general motivation is to answer the question: "What is a model
of concurrent computation?". As a preliminary exercise, we study
dataflow networks. We develop a very general notion of model for
asynchronous networks. The "Kahn Principle", which states that a
network built from functional nodes is the least fixpoint of a system
of equations associated with the network, has become a benchmark
for the formal study of dataflow networks. We formulate a generalized
version of the Kahn Principle, which applies to a large class of
non-deterministic systems, in the setting of abstract asynchronous
networks; and prove that the Kahn Principle holds under certain natural
assumptions on the model. We also show that a class of models, which
represent networks that compute over arbitrary event structures,
generalizing dataflow networks which compute over streams, satisfy these
assumptions.

1 Introduction 

There is by now a proliferation of mathematical structures which have been
proposed to model concurrent systems. These include synchronization trees
[Win85], event structures [Win86], Petri nets [Rei85], failure sets [Hoa85],
trace monoids [Maz89], pomsets [Pra82] and many others. One is then led
to ask: what general structural conditions should a model of concurrency
satisfy? There is an obvious analogy with the λ-calculus, where a consensus
on the appropriate notions of model only emerged some time after a number
of particular model constructions had been discovered (cf. [Bar84]). Indeed,
we would like to pose the question:

"What is a model of concurrent computation?"

in the same spirit as the title of Meyer's excellent paper [Mey82].

One important disanalogy with the λ-calculus is that the field of concurrent
computation so far lacks a canonical syntax; and at a deeper level,
there is as yet no analogue of Church's thesis for concurrent computation.
The various formalisms which have been proposed actually draw inspiration
from a highly varied phenomenology: synchronous, asynchronous, real-time,
dataflow, shared-memory, declarative, object-oriented, systolic, SIMD,
neural nets, etc. etc. In these circumstances, some more modest and
circumscribed attempts at synthesis seem justified. At the same time, merely
finding general definitions which subsume a number of concrete models is
not enough; good definitions should show their cutting edge by yielding some
non-trivial results.

In the present study, we start from a particular class of concurrent systems,
the non-deterministic dataflow networks [Par82]. A problem which
has established itself as a benchmark for the formal study of such systems is
the Kahn Principle [Kah74], which states that if a network is composed of
functional nodes, its behaviour is captured by the least fixpoint of a system
of equations associated with the network in a natural way.

We attempt to formulate a notion of model for such networks in the most
general and abstract form which still allows us to prove the Kahn Principle.
In this way, we hope both to shed light on the initial motivating question of
the axiomatics of process semantics, and to expose the essence of the Kahn
Principle. In the course of doing so, we shall attain a level of generality,
both as regards the notion of asynchronous network we consider, and the
statement of the Kahn Principle, far in excess of anything we have seen in
the literature.

The structure of the remainder of the paper is as follows. In section 2, 
we review some background on domain theory and dataflow networks. Then 
in section 3 we introduce our general notion of model, state a generalized 
version of the Kahn Principle, and prove that certain conditions on models 
are sufficient to imply the Kahn Principle. As far as I know, these are the 
first results of this form, as opposed to proofs of the Kahn Principle for 
specific models. Some directions for further research are given in section 4. 

2 Background 

We begin with a review of some notions in Domain theory; see e.g. [GS89]
for further information and motivation. 

We write $\mathrm{Fin}(X)$ for the set of finite subsets of a set $X$; and $A \subseteq^{f} X$ for
the assertion that $A$ is a finite subset of $X$. A poset is a structure $(P, \leq)$,
where $P$ is a set, and $\leq$ a reflexive, transitive, anti-symmetric relation on $P$.
Let $(P, \leq)$ be a poset. We write $\downarrow x = \{y \in P \mid y \leq x\}$, $\uparrow x = \{y \in P \mid x \leq y\}$
for $x \in P$; and $\downarrow X = \bigcup_{x \in X} \downarrow x$, $\uparrow X = \bigcup_{x \in X} \uparrow x$ for $X \subseteq P$. A subset $S \subseteq P$
is directed if every finite subset of $S$ has an upper bound in $S$. A poset is
directed-complete if every directed subset $S$ has a least upper bound, written
$\bigsqcup S$. A cpo (complete partial order) is a directed-complete poset with a least
element, written $\bot$. An element $b \in D$ of a cpo $D$ is compact if whenever
$S \subseteq D$ is directed, and $b \sqsubseteq \bigsqcup S$, then $b \sqsubseteq d$ for some $d \in S$. We write $K(D)$
for the set of compact elements of $D$, and $K(d) = \downarrow d \cap K(D)$ for $d \in D$. A
cpo $D$ is algebraic if for all $d \in D$, $K(d)$ is directed, and $d = \bigsqcup K(d)$; and
$\omega$-algebraic if in addition $K(D)$ is countable. An ideal over a poset $P$ is a
directed subset $I \subseteq P$ such that $x \leq y \in I \Rightarrow x \in I$. The ideal completion
of a poset $P$ is the set of ideals over $P$, ordered by inclusion. If $P$ has a
least element, this is an algebraic cpo; it is $\omega$-algebraic if $P$ is countable.

A map $f : D \to E$ of cpo's is continuous if for every directed subset
$S \subseteq D$, $f(\bigsqcup S) = \bigsqcup f(S)$; and strict if $f(\bot_D) = \bot_E$. A subset $U \subseteq D$ of a
cpo $D$ is Scott-open if $U = \uparrow U$, and whenever $\bigsqcup S \in U$ for a directed subset
$S \subseteq D$, then $S \cap U \neq \emptyset$. The Scott-open subsets form a topology on $D$;
a function between cpo's is continuous as defined above iff it is continuous
in the topological sense with respect to the Scott topology. The Scott-open
subsets of an algebraic cpo $D$ are those of the form $\bigcup_{i \in I} \uparrow b_i$, where $b_i \in K(D)$
for all $i \in I$.

We define some standard constructions on cpo's. Given a set $X$, the
algebraic cpo of streams over $X$, $\mathrm{Str}(X)$, is the set of finite and infinite
sequences over $X$, with the prefix ordering. If $D$, $E$ are cpo's, $[D \to E]$ is
the cpo of continuous functions from $D$ to $E$, with the pointwise ordering; if
$\{D_i\}_{i \in I}$ is a family of cpo's, $\prod_{i \in I} D_i$ is the cartesian product cpo, with the
componentwise ordering. If $f : D \to D$ is a continuous map on a cpo $D$, it
has a least fixed point, defined by

$$\mathrm{lfp}(f) = \bigsqcup_{k \in \omega} f^{k}(\bot).$$

We shall assume some small knowledge of category theory in the sequel;
suitable references are [ML71] [AM75]. We write $\mathbf{Cpo}$ for the category of
cpo's and continuous maps, $\mathbf{Cpo}^{*}$ for the subcategory of strict continuous
maps; and $\omega\mathbf{Alg}$, $\omega\mathbf{Alg}^{*}$ for the corresponding categories of $\omega$-algebraic
cpo's.

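We define the weak covering relation on a poset $(P, \leq)$ by:

$$x \preceq y \;\stackrel{\mathrm{def}}{\iff}\; x \leq y \;\&\; \forall z.\, (x \leq z \leq y \Rightarrow (x = z \text{ or } y = z))$$

and the covering relation by

$$x \prec y \;\stackrel{\mathrm{def}}{\iff}\; x \preceq y \;\&\; x \neq y.$$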

The computational intuition behind the covering relation as used in Domain 
theory is that it represents an atomic computation step, or the occurrence 
of an atomic event; this idea can be traced back to [KP78].

A covering sequence in an algebraic cpo $D$ is a non-empty finite or infinite
sequence $(b_n)$ of compact elements such that $b_0 = \bot$, and $b_n \prec b_{n+1}$ for all
terms $b_n$, $b_{n+1}$ in the sequence. A covering sequence can be taken as a
representation of $d = \bigsqcup b_n$, which gives a step-by-step description of how it
was computed.

Given an algebraic cpo $D$, we can form the algebraic cpo $C(D)$ of covering
sequences over $D$, with the prefix ordering. There is a continuous map

$$\mu : C(D) \to D, \quad \text{with } \mu((b_n)) = \bigsqcup b_n.$$

Finally, we define the relative covering relation in $D$ by:

$$[b, c] \sqsubseteq d \iff b, c \in K(d) \;\&\; b \prec c.$$

We can think of $b \prec c$ as an atomic step at some finite stage in the
computation of $d$.

A prime event structure [Win86] is a structure $\mathcal{E} = (E, \leq, \mathrm{Con})$, where
$(E, \leq)$ is a countable poset, and $\mathrm{Con} \subseteq \mathrm{Fin}(E)$ a family of finite subsets of
$E$, satisfying:

• $\forall e \in E.\ (\downarrow e \text{ is finite})$.

• $\forall e \in E.\ (\{e\} \in \mathrm{Con})$.

• $A \subseteq B \in \mathrm{Con} \Rightarrow A \in \mathrm{Con}$.

• $A \in \mathrm{Con} \Rightarrow \downarrow A \in \mathrm{Con}$.

We refer to elements of $E$ as events, to $\leq$ as the causality or enabling
relation, and to $\mathrm{Con}$ as the consistency predicate. A configuration of $\mathcal{E}$ is a
set $x \subseteq E$ such that

• $e \leq e' \in x \Rightarrow e \in x$

• $A \subseteq^{f} x \Rightarrow A \in \mathrm{Con}$.

The set $|\mathcal{E}|$ of configurations of $\mathcal{E}$, ordered by inclusion, is an algebraic
cpo; the compact elements are the finite configurations. Note that in $|\mathcal{E}|$,
$x \prec y \iff y \setminus x = \{e\}$ for some $e \in E$; and that if $x \subseteq y$ for compact elements
$x$, $y$, there is a sequence $e_1, \ldots, e_n$ such that $x = z_0 \prec \cdots \prec z_n = y$,
where $z_i = x \cup \{e_1, \ldots, e_i\}$. The algebraic cpo's which arise from prime
event structures are characterized in [Win86]: we refer to them as event
domains. They form quite an extensive class, containing models of type-free
and polymorphic lambda calculi (using stable functions), as well as the usual
datatypes of functional programming [CGW87].

We now turn to the dataflow model of concurrent computation. Consider
a process network, represented by a directed (multi)graph $G = (N, A, s, t)$,
where $N$ is the set of nodes, $A$ the set of arcs, and $s, t : A \to N$ are the source
and target functions. Each node is labelled with a sequential process, while
each arc corresponds to a buffered message channel, which behaves like an
unbounded FIFO queue. In addition to the usual sequential constructs, each
node $n$ can read from its input channels (those $\alpha$ with $t(\alpha) = n$), and write
to its output channels (those $\alpha$ with $s(\alpha) = n$). Although this computational
model might be criticised as unrealistic because of the unbounded buffering,
this very feature enables a high degree of parallelism, and the model is
appealingly simple, and quite close to a number of actually proposed and
implemented dataflow languages and architectures [WA85] [KLP79] [KM77]
[GGKW84]. Kahn's brilliant insight in his seminal paper [Kah74] was that
the behaviour of such networks could be captured denotationally in a very
simple and elegant fashion, using some elementary domain theory. The
key idea is to model the behaviour of each message channel $\alpha$, on which
atomic values from the set $D_\alpha$ can be transmitted, as a stream from the
domain $\mathrm{Str}(D_\alpha)$. Using standard denotational techniques, the behaviour of
the process at node $n$, with input channels $\alpha_1, \ldots, \alpha_k$, and output channels
$\beta_1, \ldots, \beta_l$, can be modelled by a continuous function

$$f : \mathrm{Str}(D_{\alpha_1}) \times \cdots \times \mathrm{Str}(D_{\alpha_k}) \to \mathrm{Str}(D_{\beta_1}) \times \cdots \times \mathrm{Str}(D_{\beta_l}).$$

The behaviour of the whole system can be modelled by setting up a system
of equations, one for each channel in the network, of the overall form

$$X = G(X),$$

where $G : \prod_\alpha \mathrm{Str}(D_\alpha) \to \prod_\alpha \mathrm{Str}(D_\alpha)$; and solving by taking the least fixed
point $\mathrm{lfp}(G) \in \prod_\alpha \mathrm{Str}(D_\alpha)$.

It is worth noting that Kahn never proved the coincidence of this de- 
notational semantics with an operational semantics based directly on the 
computational model sketched above; indeed, he never defined any formal 
operational semantics for dataflow networks. Nevertheless, no-one has ever 
seriously doubted the accuracy of his semantics. A number of subsequent 
attempts have been made to fill this gap in the theory [Fau82] [LS88]; it has
proved surprisingly difficult to give a clean and elegant account. 

In another direction, many attempts have been made to overcome one
crucial limitation built into Kahn's framework; namely, the assumption that
all processes in the network are deterministic, and hence their behaviour
can be described by functions. This limitation must be overcome in order
for these networks to be sufficiently expressive to model general-purpose
concurrent systems (see e.g. [Hen82] [AbrM]). However, as soon as
non-deterministic processes are allowed, the denotational description of dataflow
networks becomes much more complicated. In fact, naive attempts to extend
Kahn's model have been shown to be doomed to failure by certain
"anomalies" which were found by Keller [Kel78] and Brock and Ackerman
[BA81]. In particular, Brock and Ackerman exhibited a pair of deterministic
processes $N_1$, $N_2$ with the same Kahn semantics, and a non-deterministic
context $C[\cdot]$ such that $C[N_1] \neq C[N_2]$ with respect to the intended operational
semantics. The main point of this is to show that in the presence of
non-determinism, the behaviour of a system is no longer adequately modelled
by a "history tuple" $d \in \prod_\alpha \mathrm{Str}(D_\alpha)$. Such a tuple records the order
in which values are realized on each channel, but fails to record causality
relations which may exist between items of data on different channels. A
number of more detailed models have been proposed which reflect this kind
of information. Two in particular have received some attention.

Definition 2.1 Let $S$ be a set of channel names, where for each $\alpha \in S$,
there is a set $D_\alpha$ of atomic data which can be transmitted over $\alpha$. The
domain of linear traces over $S$, $\mathrm{LTr}_S$, is the stream domain $\mathrm{Str}(E_S)$, where

$$E_S = \{(\alpha, d) \mid \alpha \in S,\ d \in D_\alpha\}.$$

The idea is that a linear trace represents a sequential observer's view of a
computation in the network, as a sequence of atomic events $(\alpha, d)$ — namely,
the production of the atomic value $d$ on the channel $\alpha$. We can regard
linear traces as more detailed — perhaps even over-specified — representations
of history tuples; indeed, there is an obvious "result" or "output" map
$\mu_S : \mathrm{LTr}_S \to \prod_{\alpha \in S} \mathrm{Str}(D_\alpha)$. It is a useful exercise to verify that this is strict
and continuous.

Given $S \supseteq T$, we can define a (strict, continuous) restriction map,
$\rho^S_T : \mathrm{LTr}_S \to \mathrm{LTr}_T$, where $\rho^S_T(s)$ is obtained by deleting all $(\alpha, d)$ from $s$ such that
In the linear trace model, a process is modelled by a pair $(S, P)$, where
$S$ is the set of channels incident to the process, and $P \subseteq \mathrm{LTr}_S$ describes
its (possibly non-deterministic) behaviour. The key definition is that of the
operation of network composition, which glues together a family of processes
along their coincident channels. Let $\{(S_j, P_j)\}_{j \in J}$ be a family of processes;
we define $\|_{j \in J} (S_j, P_j) = (S, P)$, where

$$P = \{ s \in \mathrm{LTr}_S \mid \forall j \in J.\ (\rho^S_{S_j}(s) \in P_j) \}.$$

Note that this definition of the behaviour of a net is quite different in 
form to the Kahn semantics; we have replaced continuous functions by sets 
of traces, and the iterative construction of a least fixed point by a product-like
construction. It thus becomes a matter of some importance to see if this
definition actually coincides with the Kahn semantics in the case when each 
node in the network is in fact computing some continuous function. (Of 
course, we must firstly define what that means in terms of sets of traces). 
We refer to this task as the proof of the Kahn Principle for the linear trace
model.

The linear trace model has recently been proved to be fully abstract in a
certain sense [Jon89]; however, some other models have also received considerable
attention, and avoid the apparent over-specification of linear traces.
In particular there are the pomset models [Pra82], which were inspired by
Brock and Ackerman's scenarios [BA81]. The idea is to allow partial orders
of events, rather than insisting on purely sequential observations.

Definition 2.2 The domain of partially ordered traces $\mathrm{PTr}_S$ is the ideal
completion of the finite partially-ordered traces with the prefix ordering,
where:

• A finite partially-ordered trace is an isomorphism type of finite labelled
partial orders $(V, \leq, \ell)$, where $\ell : V \to E_S$, and for each $\alpha \in S$, the
subposet

$$\{ v \in V \mid \exists d \in D_\alpha.\ (\ell(v) = (\alpha, d)) \}$$

is linearly ordered.

• The prefix ordering is defined on representatives by:

$\&\ v \leq' v' \in V \Rightarrow v \in V.$

Note that, if we identify sequences with isomorphism types of labelled linear
orders, we have the inclusion $\mathrm{LTr}_S \subseteq \mathrm{PTr}_S$. Once again, there is an evident
definition of a restriction map $\rho^S_T : \mathrm{PTr}_S \to \mathrm{PTr}_T$ for $S \supseteq T$, and, by virtue
of the stipulation that events at each channel are linearly ordered, a map

$$\mu_S : \mathrm{PTr}_S \to \prod_{\alpha \in S} \mathrm{Str}(D_\alpha).$$

We can then define the notion of network composition in the partially 
ordered trace model in exactly the same way as we did for the linear traces, 
modulo the different notions of "trace" and "restriction"; and formulate 
the Kahn Principle in exactly the same terms. The main previous work 
on proving the Kahn Principle for (essentially) the partially ordered trace 
model is described in [GP87].

Our aim is firstly to extract the essential properties of this situation to 
arrive at a general notion of model, and then to prove the Kahn principle in 
this general setting. Apart from yielding the particular results for the linear 
and partially-ordered trace models for dataflow networks as instances of our 
general result, there are a number of other insights that we hope this work 
provides:

• The abstract networks we consider compute over a much broader class
of domains than just the stream domains of dataflow — our results apply
at least to the event domains.

• The version of the Kahn Principle we formulate and prove in fact
applies not only to the deterministic case, but to a broad class of
non-deterministic networks — namely those in which each node computes
one of a set of possible continuous functions. This includes for example
the so-called "infinity-fair merge", though not the "angelic merge"
[PS88]. As far as I know, this major extension to the Kahn Principle
is new, even for the specific models described above.

• Although our notion of model is abstracted from the dataflow family,
and cannot be claimed to be fully general, we hope it is a useful
step along the way to answering the question raised in the opening
paragraph, namely: "what is a model of concurrent computation?".



3 Results 
3.1 Models 

We assume a class Chan of channel names, ranged over by $\alpha$, $\beta$, $\gamma$. We refer
to sets of channels as sorts; the class of sorts, partially ordered by inclusion, 
is denoted by Sort. We use S, T, U to range over sorts. 

Definition 3.1 A model $\mathcal{M} = (T, V, \mu)$ comprises:

• functors $T, V : \mathbf{Sort}^{op} \to \mathbf{Cpo}^{*}$

• a natural transformation $\mu : T \to V$

such that $V$ preserves limits.

We refer to $T_S$ as the traces of sort $S$, $V_S$ as the values of sort $S$, and $\mu$
as the output or evaluation map.

More explicitly, $T$ assigns to each sort $S$ a cpo $T_S$, and to each $S \supseteq T$ a
strict, continuous restriction map $\rho^S_T : T_S \to T_T$, such that:

• $\rho^S_S = \mathrm{id}_{T_S}$.

Similarly, $V$ assigns a cpo $V_S$ to each sort $S$. The requirement that $V$
preserves limits amounts to asking that $V$ takes unions in Sort to products
in $\mathbf{Cpo}^{*}$. Since each sort is the union of its singletons, this means that if $V_\alpha$
is the value domain of sort $\{\alpha\}$,

$$V_S = \prod_{\alpha \in S} V_\alpha$$

and that the restriction maps will be the projections onto sub-products: for
$S \supseteq T$, $\pi^S_T : V_S \to V_T$. Thus $V$ is completely determined by the $V_\alpha$.

Finally, for each sort $S$ there is a strict, continuous map $\mu_S : T_S \to V_S$,
such that for all $S \supseteq T$,

$$\mu_T \circ \rho^S_T = \pi^S_T \circ \mu_S.$$

Notation. We write $\nu^S_T = \mu_T \circ \rho^S_T = \pi^S_T \circ \mu_S$.
Examples 

(1). Firstly, from the discussion in the previous Section, it is easy to see
that both linear and partially-ordered traces yield examples of models. More
precisely, for each channel $\alpha$ fix a set $D_\alpha$ of atomic values; then define $V_\alpha =
\mathrm{Str}(D_\alpha)$, and $T_S = \mathrm{PTr}_S$ ($\mathrm{LTr}_S$), $\rho^S_T$, $\mu_S$ as in Section 2. The verification of
the required functoriality and naturality conditions is straightforward.

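(2). We now describe a general class of models. For each channel $\alpha$, fix
an event structure $\mathcal{E}_\alpha = (E_\alpha, \leq_\alpha, \mathrm{Con}_\alpha)$. Define $V_\alpha = |\mathcal{E}_\alpha|$, the domain
of configurations over $\mathcal{E}_\alpha$. For a sort $S$, we define $\mathcal{E}_S = \prod_{\alpha \in S} \mathcal{E}_\alpha$, where
the product of event structures is defined as their disjoint union [Win86]:
$\mathcal{E}_S = (E_S, \leq_S, \mathrm{Con}_S)$, where

$$E_S \;\stackrel{\mathrm{def}}{=}\; \{(\alpha, e) \mid \alpha \in S,\ e \in E_\alpha\}$$
$$(\alpha, e) \leq_S (\beta, e') \;\stackrel{\mathrm{def}}{\iff}\; \alpha = \beta \;\&\; e \leq_\alpha e'$$
$$A \in \mathrm{Con}_S \;\stackrel{\mathrm{def}}{\iff}\; \forall \alpha \in S.\ (\{e \mid (\alpha, e) \in A\} \in \mathrm{Con}_\alpha).$$

We have [Win86]: $|\mathcal{E}_S| \cong \prod_{\alpha \in S} |\mathcal{E}_\alpha|$, and we shall take $V_S = |\mathcal{E}_S|$. For
$S \supseteq T$, the projections $\pi^S_T : |\mathcal{E}_S| \to |\mathcal{E}_T|$ are defined by $\pi^S_T(x) = x \cap E_T$.
In order to define the traces over $\mathcal{E}_S$, we follow the idea that

traces = data + causality.

Thus a trace is a configuration together with extra information about
the order in which data was actually produced in a particular computation,
reflecting some causal constraints.

Definition 3.2 A trace over an event structure $\mathcal{E} = (E, \leq, \mathrm{Con})$ is a pair
$t = (x_t, \leq_t)$, where $x_t \in |\mathcal{E}|$, and $\leq_t$ is a partial order on $x_t$ such that:

• $\forall e \in x_t.\ (\{e' \in x_t \mid e' \leq_t e\} \text{ is finite})$

• $(\leq \cap\, x_t^2) \subseteq\ \leq_t$

Traces are partially ordered as follows:

$$t \sqsubseteq t' \iff x_t \subseteq x_{t'} \;\&\; \leq_t\ =\ \leq_{t'} \cap\, x_t^2 \;\&\; (e \leq_{t'} e' \in x_t \Rightarrow e \in x_t).$$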

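Clearly, traces with this ordering form an algebraic cpo $\mathbb{P}\mathcal{E}$. A trace $t$
is linear if $\leq_t$ is a linear order; the linear traces also form an algebraic cpo,
$\mathbb{L}\mathcal{E}$, and $\mathbb{L}\mathcal{E} \subseteq \mathbb{P}\mathcal{E}$. The compact elements of $\mathbb{P}\mathcal{E}$ are those $t$ for which $x_t$ is
a finite configuration of $|\mathcal{E}|$. Also, $t \prec u$ in $\mathbb{P}\mathcal{E}$ iff $x_u \setminus x_t = \{e\}$ for some $e$
which is maximal in $\leq_u$. The following construction on trace domains will
be useful. Given $t \in \mathbb{P}\mathcal{E}$, and $X \subseteq x_t$, we define $t \upharpoonright X$ by:

$$x_{t \upharpoonright X} = \{ e \in x_t \mid \exists e' \in X.\ e \leq_t e' \}$$
$$\leq_{t \upharpoonright X}\ =\ \leq_t \cap\, (x_{t \upharpoonright X})^2.$$

Clearly $t \upharpoonright X$ is a well-defined trace, and $t \upharpoonright X \sqsubseteq t$; moreover, $X \subseteq Y \Rightarrow
t \upharpoonright X \sqsubseteq t \upharpoonright Y$. This construction can also be applied to $\mathbb{L}\mathcal{E}$.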

We can now complete the definitions for our two families of models, $\mathcal{M}_P$
(partially ordered traces over event structures) and $\mathcal{M}_L$ (the sub-model of
linearly ordered traces). The trace domains for $\mathcal{M}_P$ are defined by $T_S = \mathbb{P}\mathcal{E}_S$,
and for $\mathcal{M}_L$ by $T_S = \mathbb{L}\mathcal{E}_S$. The evaluation maps are defined for both by

$$\mu_S(t) = x_t,$$

and the restriction maps by

$$\rho^S_T(t) = (x_t \cap E_T,\ \leq_t \cap\, E_T^2),$$

for $S \supseteq T$.

The verification that these definitions yield models is straightforward.
Note that $\mathcal{M}_P$ and $\mathcal{M}_L$ are really families of models, parameterized by the
choice of event structures $\mathcal{E}_\alpha$ for each $\alpha$. Our results will apply to all models
in these families.

We now show how the concrete dataflow models of (1) are special cases
of $\mathcal{M}_P$ and $\mathcal{M}_L$. Fix a set $D_\alpha$ for each channel $\alpha$, and define an event
structure $\mathcal{E}_\alpha$ as follows:

• $E_\alpha = \{(s, sd) \mid s \in D_\alpha^{*},\ d \in D_\alpha\}$.

• $(s, sd) \leq_\alpha (s', s'd') \iff sd \sqsubseteq s'd'$.

• $A \in \mathrm{Con}_\alpha \iff \forall (s, sd), (s', s'd') \in A.\ (sd \sqsubseteq s'd' \text{ or } s'd' \sqsubseteq sd)$.

It can easily be verified that $|\mathcal{E}_\alpha| \cong \mathrm{Str}(D_\alpha)$. Also, we have

Proposition 3.3 For all sorts $S$,

$$\mathrm{PTr}_S \cong \mathbb{P}\mathcal{E}_S$$
$$\mathrm{LTr}_S \cong \mathbb{L}\mathcal{E}_S.$$

Proof. Given $t \in K(\mathbb{P}\mathcal{E}_S)$, we define a labelled poset $(x_t, \leq_t, \ell)$, where

$$\ell((\alpha, (s, sd))) = (\alpha, d).$$

This defines a map $\varphi : K(\mathbb{P}\mathcal{E}_S) \to K(\mathrm{PTr}_S)$. (Note that the condition
$(\leq_S \cap\, x_t^2) \subseteq\ \leq_t$ is needed to ensure that $\alpha$-events are linearly ordered in
$\varphi(t)$ for each $\alpha \in S$). Now consider a trace in $K(\mathrm{PTr}_S)$ with representative
labelled poset $(V, \leq, \ell)$. For each $v \in V$, let $\ell(v) = (\alpha, d)$. The set of
$\alpha$-labelled predecessors of $v$ is linearly ordered, say

$$v_1 < \cdots < v_n < v,$$

and hence yields a finite sequence $s = d_1 \cdots d_n \in K(\mathrm{Str}(D_\alpha))$, where $d_i =
\mathrm{snd} \circ \ell(v_i)$, $i = 1, \ldots, n$. We can thus define a new labelling function $\ell'$,
which maps $v$ to $(\alpha, (s, sd)) \in E_S$. Note that $\ell'$ is injective, and hence
we can dispense with $V$, and take the induced order on $\ell'(V)$: $\ell'(v) \leq'
\ell'(v') \iff v \leq v'$, yielding a trace in $\mathbb{P}\mathcal{E}_S$. Thus we obtain a
map $\psi : K(\mathrm{PTr}_S) \to K(\mathbb{P}\mathcal{E}_S)$. It is easily checked that $\varphi$ and $\psi$ are monotone
and mutually inverse, yielding an order-isomorphism $K(\mathbb{P}\mathcal{E}_S) \cong K(\mathrm{PTr}_S)$,
and hence by algebraicity, $\mathbb{P}\mathcal{E}_S \cong \mathrm{PTr}_S$. Finally, $\varphi$, $\psi$ cut down to an
isomorphism $K(\mathbb{L}\mathcal{E}_S) \cong K(\mathrm{LTr}_S)$, and so $\mathbb{L}\mathcal{E}_S \cong \mathrm{LTr}_S$. ∎

One further connection will be useful: the linear traces over an event
structure are isomorphic to the covering sequences over its domain of
configurations.

Proposition 3.4 For any event structure $\mathcal{E}$, $\mathbb{L}\mathcal{E} \cong C(|\mathcal{E}|)$.

Proof. From our description of covering relations in event domains, it follows
that any covering sequence in $|\mathcal{E}|$ has the form

$$x_0 \prec \cdots \prec x_n \prec \cdots$$

where $x_0 = \emptyset$, $x_{n+1} \setminus x_n = \{e_n\}$ for some $e_n \in E$. We can then define the
linear trace $t$ with $x_t = \bigcup x_n$, $e_n \leq_t e_m \iff n \leq m$. Conversely, any linear
trace must, by countability of $E$ and the well-foundedness property of traces,
amount to a (finite or infinite) sequence $(e_n)$, from which we can define a
covering sequence $(x_n)$, where $x_n = \{e_j \mid j < n\}$. The fact that each $x_n \in |\mathcal{E}|$
follows from the conditions on traces. These passages between $\mathbb{L}\mathcal{E}$ and $C(|\mathcal{E}|)$
are easily checked to be monotone and mutually inverse, establishing the
required isomorphism. ∎

For the remainder of this section, we fix a model $\mathcal{M} = (T, V, \mu)$.

Definition 3.5 A process in $\mathcal{M}$ is a pair $(S, P)$, where $P \subseteq T_S$. Let
$\{(S_j, P_j)\}_{j \in J}$ be a family of processes. The network composition of this
family is defined by:

$$\|_{j \in J} (S_j, P_j) = (S, P),$$

where

$$P = \{ t \in T_S \mid \forall j \in J.\ (\rho^S_{S_j}(t) \in P_j) \}.$$

This definition was predictable from our discussion of concrete dataflow 
models in the previous section. The next definition is a key one, which 
answers the question of how to characterize when a process, qua set of traces, 
is computing a function. In fact, we deal with the more general situation 
when a process is computing any one (non-deterministically chosen) from a 
set of functions. 

Definition 3.6 Let $(S, P)$ be a process, with $S = I \cup O$, and let $F \subseteq [V_I \to V_O]$
be a set of continuous functions. We say that $(S, P)$ computes $F$ if for
all $t \in T_S$:

$$t \in P \iff \exists f \in F:$$

(1) $\nu^S_O(t) = f(\nu^S_I(t))$

(2) $[u, v] \sqsubseteq t \Rightarrow \nu^S_O(v) \sqsubseteq f(\nu^S_I(u))$.

Condition (1) in this definition is the obvious stipulation that the overall
effect of the trace is to compute an input-output pair in the graph of one of
the functions $f \in F$. Condition (2) is more subtle; it insists that the way this
input-output pair is computed must be "causally consistent", in the sense
that for any step $u \prec v$ towards computing $t$, the output values realized
after the step — at $v$ — are no more than what was justified as $f$ applied to
the input values available before the step — at $u$.

As regards the generality conferred by the use of sets of functions, consider
the following example from dataflow [Par82]: the deterministic merge
function

$$\mathrm{dmerge} : \mathrm{Str}(X) \times \mathrm{Str}(X) \times \mathrm{Str}(\{0, 1\}) \to \mathrm{Str}(X)$$

which uses an oracle to guide its choices. This satisfies the equations:

$$\mathrm{dmerge}(a : x, y, 0 : o) = a : \mathrm{dmerge}(x, y, o)$$
$$\mathrm{dmerge}(x, b : y, 1 : o) = b : \mathrm{dmerge}(x, y, o).$$

Now for any set of oracles $O$ we can define:

$$F = \{ \lambda x, y.\ \mathrm{dmerge}(x, y, o) \mid o \in O \}.$$

If we take $O$ to be the set of fair oracles, i.e. infinite binary sequences
containing infinitely many zeroes and infinitely many ones, then $F$ corresponds
to the "infinity-fair merge" [PS88]; however, note that the "angelic merge"
cannot be obtained in this way.

Now let $\{(S_j, P_j)\}_{j \in J}$ be a family of processes, with $(S, P) = \|_{j \in J} (S_j, P_j)$.
We say that $\{(S_j, P_j)\}_{j \in J}$ is a non-deterministic functional network if the
following conditions hold:

1. For all $j \in J$, $S_j = I_j \cup O_j$ and $(S_j, P_j)$ computes $F_j \subseteq [V_{I_j} \to V_{O_j}]$.

2. For all $\alpha \in S$, there is exactly one $j \in J$ with $\alpha \in O_j$.

If $F_j$ is a singleton for all $j \in J$, we say that the network is deterministic.

Condition (2) is worth some comment. The constraint that each channel
has at most one producer precludes non-determinism by "short circuit". The
requirement that there be exactly one producer is a technical convenience;
it means that we can avoid considering input channels — i.e. those with no
producer in the system — separately. Of course, we can still handle input
channels, in a "pointwise" fashion; for each given input value, we add a
process which behaves like the constant function producing that value on
the channel. Indeed, in our approach this is immediately generalized to
allow a set of values to be produced.

Footnote: These conditions were directly inspired by Misra's "limit" and "smoothness"
conditions in his notion of descriptions [Mis89]: his definition was made in the specific setting
of the linear trace domain $\mathrm{LTr}_S$, and in a rather different context.

Now we generalize the Kahn semantics for dataflow in the obvious way.
For each $f \in \prod_{j \in J} F_j$ we define $G_f : V_S \to V_S$ by:

$$G_f = \langle \pi^{O_j}_{\alpha} \circ f_j \circ \pi^{S}_{I_j} \rangle_{\alpha \in S,\ \alpha \in O_j}.$$

By virtue of condition (2) on the network, there is exactly one component
of the tuple defining $G_f$ for each $\alpha \in S$.

We say that the network satisfies the Generalized Kahn Principle if the
following condition holds:

$$\text{(GKP)} \qquad \mu_S(P) = \{ \mathrm{lfp}(G_f) \mid f \in \prod_{j \in J} F_j \}.$$

We say that $\mathcal{M}$ satisfies the Generalized Kahn Principle if (GKP) holds for
every non-deterministic functional network in $\mathcal{M}$. We say that $\mathcal{M}$ satisfies
the (ordinary) Kahn Principle if (GKP) holds for every deterministic functional
network. Note that in this case, $\prod_{j \in J} F_j$ is a singleton, and hence so
is the right-hand side of (GKP).

Our main objective will be to give sufficient conditions on $\mathcal{M}$ to ensure
that (GKP) holds. (GKP) states an equality between two sets; it is
convenient to consider the two inclusions separately. Firstly, we have

$$\text{(GKP}_s\text{)} \qquad \mu_S(P) \subseteq \{ \mathrm{lfp}(G_f) \mid f \in \prod_{j \in J} F_j \}.$$

This is a safety property, since it asserts that every behaviour of the network
computes one of the values specified by the (generalized) Kahn semantics.
The converse:

$$\text{(GKP}_l\text{)} \qquad \{ \mathrm{lfp}(G_f) \mid f \in \prod_{j \in J} F_j \} \subseteq \mu_S(P)$$

is a liveness property, since it asserts that every specified value is realized
by some computation.
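
The following Python code is an added example, not part of the original paper: it checks (GKP) by brute force for a small deterministic network in the linear trace model of Definition 2.1, using restriction, network composition (Definition 3.5) and conditions (1) and (2) of Definition 3.6, and compares $\mu_S(P)$ with the least fixed point of the Kahn equations $X = G(X)$ from Section 2. The two-node network, the value set and all function names are assumptions made for the illustration.

```python
from itertools import product

# Constructed network (an assumption of this example, not from the paper):
#   node 1: no inputs, writes the stream 1, 2 on channel "a"
#   node 2: reads "a", writes each value doubled on channel "b"
CHANNELS = ("a", "b")
VALUES = (1, 2, 4)
EVENTS = [(c, d) for c in CHANNELS for d in VALUES]   # E_S = {(alpha, d)}

def source(_inputs):
    return {"a": (1, 2)}

def double(inputs):
    return {"b": tuple(2 * d for d in inputs["a"])}

# Each node is (I_j, O_j, f_j); every channel has exactly one producer.
NODES = [(frozenset(), frozenset({"a"}), source),
         (frozenset({"a"}), frozenset({"b"}), double)]

def restrict(trace, sort):
    """rho^S_T: delete every event whose channel lies outside `sort`."""
    return tuple(ev for ev in trace if ev[0] in sort)

def history(trace, sort):
    """nu^S_T: the history tuple (one stream per channel) of a linear trace."""
    return {c: tuple(d for ch, d in trace if ch == c) for c in sort}

def below(h1, h2):
    """Componentwise prefix order on history tuples over the same channels."""
    return all(h2[c][:len(h1[c])] == h1[c] for c in h1)

def computes(trace, inputs, outputs, f):
    """Conditions (1) and (2) of Definition 3.6 for one function f."""
    if history(trace, outputs) != f(history(trace, inputs)):      # (1)
        return False
    for n in range(len(trace)):                                   # (2)
        u, v = trace[:n], trace[:n + 1]      # a covering step u -< v below t
        if not below(history(v, outputs), f(history(u, inputs))):
            return False
    return True

def network_behaviours(max_len):
    """Network composition (Definition 3.5), by brute force over all linear
    traces of length <= max_len: keep t iff every restriction is in P_j."""
    return [t
            for n in range(max_len + 1)
            for t in product(EVENTS, repeat=n)
            if all(computes(restrict(t, i | o), i, o, f) for i, o, f in NODES)]

def G(x):
    """The Kahn equations X = G(X): one component per channel."""
    out = {}
    for i, _o, f in NODES:
        out.update(f({c: x[c] for c in i}))
    return out

def lfp(g):
    """Least fixed point by iteration from bottom (all streams empty)."""
    x = {c: () for c in CHANNELS}
    while g(x) != x:
        x = g(x)
    return x

def outputs_of(traces):
    """mu_S(P) as a set of hashable history tuples."""
    return {tuple(sorted(history(t, CHANNELS).items())) for t in traces}

if __name__ == "__main__":
    P = network_behaviours(5)
    for t in P:
        print(t)
    print(outputs_of(P) == {tuple(sorted(lfp(G).items()))})
```

A trace that emits (b, 2) before (a, 1) satisfies condition (1) but fails condition (2), so it is excluded from P even though its history tuple agrees with the least fixed point.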
3.2 Safety



Definition 3.7 An $\omega$-algebraic cpo $D$ is incremental if whenever $b \sqsubseteq c$ in
$K(D)$, there is a finite covering sequence

$$b = b_0 \preceq \cdots \preceq b_n = c.$$

A strict, continuous function $f : D \to E$ on incremental domains is an
incremental morphism if:

• $f$ weakly preserves relative covers:

$$[b, c] \sqsubseteq d \Rightarrow [f(b), f(c)] \sqsubseteq f(d) \text{ or } f(b) = f(c) \in K(f(d)).$$

• $f$ lifts relative covers:

$$[b', c'] \sqsubseteq f(d) \Rightarrow \exists b, c.\ ([b, c] \sqsubseteq d \;\&\; f(b) = b',\ f(c) = c').$$

Incremental domains and morphisms form a category $\mathbf{IncDom}$. We
say that a functor $F : \mathbf{C} \to \mathbf{Cpo}^{*}$ is incremental if it factors through the
inclusion $\mathbf{IncDom} \hookrightarrow \mathbf{Cpo}^{*}$, and that a model $\mathcal{M} = (T, V, \mu)$ is incremental
if $T$ is.

Note that all event domains, and all ideal completions of countable posets 
satisfying both the ascending and descending chain conditions, are incremen- 
tal. The reason for our terminology is that incremental domains are pre- 
cisely the specialization to posets of the incremental categories introduced 
in pJHH]. 

Proposition 3.8 $\mathcal{M}_P$ and $\mathcal{M}_L$ are incremental.

Proof. We have already observed that the domains ¥£s, are incre- 
mental. The fact the restriction maps weakly preserve relative covers fol- 
lows easily from the definitions. We must verify the lifting property. We 
give the argument for Aif only. Suppose then that 5 5 T, [n',v'] !^ t' in 
¥£t, and (t) = t'. We define v = t \ x^'. Since Xy' C Xf C xt, this is 
well-defined, and yields v t. Let w = (f). S 

For the converse, suppose e € x^. This implies that e € Et, and that for 
some e' € x„', e e'. But this implies e ^t' s'-, since Pj^{t) = t', and hence 
e G Xy', since v' Q t' and e' G Xyi. Thus Xw = Xyi. The same reasoning 
shows that ^u;=^t,', and so w = v' . 

To define u, recall that u' -< v' iff x^t \ Xu' = {e} for some e G Et 
which is maximal in But then e must also be maximal with respect 
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to since otherwise we would have e <^ e' G x^i, which would imply 
e <„' e', contradicting <t,/-maximality of e. Thus if we define x„ = x^, \ {e}, 
^u=^?; we see that v \ Xu = ^u)- Clearly u <v\ and \iw = pj'{u), 

$$x_w = x_u \cap E_T = (x_v \setminus \{e\}) \cap E_T = (x_v \cap E_T) \setminus \{e\} = x_{v'} \setminus \{e\} = x_{u'}.$$

Similarly ^■w=^u'^ yielding pj,{u) = u' , and the proof is complete. I 
Our main objective in the remainder of this subsection is to prove: 

Theorem 3.9 If $\mathcal{M}$ is incremental, it satisfies (GKP$_s$).

Our strategy is to use incrementality of the restriction maps to move between
local conditions expressing the functional behaviour of the nodes and global
conditions expressing the functional behaviour of the whole network.

Lemma 3.10 Let $(S,P)$ be a non-deterministic functional process computing
$F$, where $S = I \cup O$. For all $t \in P$ computing $f \in F$, and $u \sqsubseteq t$:

i^Siu) C fii^fin)). 

Proof. Suppose firstly that $u$ is compact. Either $u = t$, in which case
the conclusion follows directly from the first condition for $t \in P$, or by
incrementality of $T_S$, for some compact $v$, $[u, v] \sqsubseteq t$. Applying the second
condition for $t \in P$,

The general result follows from this special case, since 

^Sw= U ^owc u f{i^f{v)) = f{i^f{u)). I 

veK{u) veK{u) 

Lemma 3.11 Let $\{(S_j,P_j)\}_{j \in J}$ be a non-deterministic functional network
computing $F_j$ at each $j \in J$, where $S_j = I_j \cup O_j$. Let $(S,P) = \|_{j \in J} (S_j,P_j)$.
Then for all $t \in T_S$:

$$t \in P \iff \forall j \in J.\ \exists f_j \in F_j.$$

. [u,v]^t 4.{v) ^ fj{uf.{u) (2) 




Proof. We shall write tj = /of .(t) for t G Ts- By definition of network 
composition, 

t£P ^ yj £ J. tj E Pj 

^ yjGJ.BfjeFj. 

• 4(t) = /}(z^J(t,)) (10 

. [uj,v,]m, ^ (2') 

Now it suffices to show that for all $t \in T_S$, $j \in J$, $f_j \in F_j$: (1) $\iff$
(1') and (2) $\iff$ (2'). The equivalence of (1) and (1') follows from the
functoriality of $\rho$. To show that (2') implies (2), we use the fact that $\rho$
weakly preserves covers. Suppose $[u,v] \sqsubseteq t$. If $u_j = v_j$, we can apply
Lemma 3.10 to get (2); if $u_j \prec v_j$, we can apply (2'). Finally, we show that
(2) implies (2'). Suppose $[u',v'] \sqsubseteq t_j$. Since $\rho$ lifts covers, for some $u, v \in T_S$,

pI^{u)=u',pI^{v) = v', k [u,v] nt. 

We can now apply (2) to get (2'), as required. $\blacksquare$

As an immediate Corollary of Lemma 3.11 we obtain:

Proposition 3.12 With notation as in Lemma 3.11:

• $\mu_S(t) = G_f(\mu_S(t))$ (1)
• $[u,v] \sqsubseteq t \;\Rightarrow\; \mu_S(v) \sqsubseteq G_f(\mu_S(u))$ (2)

Proof of Theorem 3.9. With notation as in Lemma 3.11, suppose
$t \in P$. Applying Proposition 3.12 (1), for some $f \in \prod_{j \in J} F_j$, $\mu_S(t) =
G_f(\mu_S(t))$, whence $\mathrm{lfp}(G_f) \sqsubseteq \mu_S(t)$. To show that $\mu_S(t) \sqsubseteq \mathrm{lfp}(G_f)$, let $(t_k)$
be a covering sequence for $t$, which must exist by incrementality of $T_S$; we
show by induction on $k$ that:

$$\forall k \in \omega.\ (\mu_S(t_k) \sqsubseteq G_f^k(\bot)).$$

The base case follows from the strictness of $\mu_S$. For the inductive step,

$$\begin{aligned}
\mu_S(t_{k+1}) &\sqsubseteq G_f(\mu_S(t_k)) && \text{Proposition 3.12 (2)} \\
&\sqsubseteq G_f(G_f^k(\bot)) && \text{by induction hypothesis.} \quad \blacksquare
\end{aligned}$$

3.3 Liveness 

Consider an algebraic domain $D$, and a chain of compact elements $C = (b_k)$
in $D$ with $\bigsqcup b_k = d$. We can consider $C$ as a (partial) specification of a
particular way of computing $d$, which induces a causality relation on compact
approximations of $d$, as follows. Define $\|\cdot\|_C : K(d) \to \omega$ by

$$\|b\|_C = \min\{k \mid b \sqsubseteq b_k\}.$$

Now we can define:

$$b <_C c \iff \|b\|_C < \|c\|_C,$$

for $b, c \in K(d)$.

Now let $t$ be a trace in $T_S$, with $\mu_S(t) = d \in V_S$. We can define a relation
$<_t$ on $K(d)$ which reflects the causal constraints on how $d$ can be realized
introduced by $t$:

$b <_t c \iff$ for every covering sequence $(t_k)$ for $t$:

$$\min\{k \mid b \sqsubseteq \mu_S(t_k)\} < \min\{k \mid c \sqsubseteq \mu_S(t_k)\}.$$

Definition 3.13 Let $\mathcal{M} = (T, V, \mu)$ be an incremental model in which each
value domain $V_S$ is $\omega$-algebraic. $\mathcal{M}$ is causally expressive if for every sort
$S$, $d \in V_S$, and chain of compact elements $C = (b_k)$ with $\bigsqcup b_k = d$, there
exists $t \in T_S$ such that:

• $\mu_S(t) = d$

• $<_t \;\supseteq\; <_C$.

Proposition 3.14 $\mathcal{M}_P$ and $\mathcal{M}_L$ are causally expressive.

Proof. Since $\mathcal{M}_L$ is a sub-model of $\mathcal{M}_P$, it suffices to prove causal
expressiveness for $\mathcal{M}_L$. Suppose then that a compact chain $C = (b_n)$ in £s
is given, with $\bigsqcup b_n = d$. Since £s is incremental, $C$ can be refined into a
covering sequence $C'$; clearly $<_{C'} \;\supseteq\; <_C$. Now let $t$ be the trace in hSs
corresponding to $C$ under the isomorphism of Proposition 3.4. We note the
general fact that for any algebraic cpo $D$, and covering sequence $(c_n)$ in $D$,
there is a unique covering sequence for $(c_n)$ in $C(D)$; a consequence of this
is that $C(C(D)) = C(D)$. It follows that $<_t \;=\; <_{C'} \;\supseteq\; <_C$, as required. $\blacksquare$

We shall need a technical lemma about fixpoints in $\omega$-algebraic cpo's.
This was conjectured by the author, and proved under the hypothesis that
the domain is SFP. The ingenious proof of the general result is due to Achim
Jung (personal communication); it is reproduced here with his kind
permission.

Lemma 3.15 (Jung) Let $D$ be an $\omega$-algebraic cpo, and $f : D \to D$ a
continuous function. There exists a chain $(b_n)$ of compact elements in $D$
such that:

1. $b_0 = \bot$

2. $\forall n.\ b_{n+1} \sqsubseteq f(b_n)$

3. $\bigsqcup b_n = \mathrm{lfp}(f)$.

Proof. For each $f^n(\bot)$ we choose a chain of compact elements $(c^n_m)$ with
least upper bound $f^n(\bot)$. By taking a diagonal sequence we find a chain
$(c_n)$ with the property $c^{n'}_{m'} \sqsubseteq c_n \sqsubseteq f^n(\bot)$ for all $n', m' \le n$. The least upper
bound of this chain is equal to $\mathrm{lfp}(f)$. Let $C_n = {\uparrow} c_n$.

We shall define the required sequence $(b_n)$ inductively, to satisfy the
following properties:

1- bn E fibn-i), 1 

2. 6„ C r(±), n ^ 

For $n = 2k$, the last property implies in particular that $b_n \in C_k$, and together
with (2) this ensures that the limit of the $b_n$ is the least fixed point of $f$.
Let $b_0 = \bot$. Then (2) is obviously satisfied, and (3) evaluates to

Oo = /°(Co) = Co = tco = U = ^, 

and is satisfied too. 

Given $b_0, \ldots, b_n$ we find $b_{n+1}$ as follows. First note that $b_n \sqsubseteq f(b_{n-1}) \sqsubseteq
f(b_n)$ by (1) (for $n = 0$ this is trivially satisfied); and that $f(b_n) \sqsubseteq f^{n+1}(\bot)$
by (2). We shall select $b_{n+1}$ below $f(b_n)$ and above $b_n$, so (1) and (2) will
be satisfied. As for (3), we calculate:

6n e On ^ f{hn) G /(On) 
C n f-n+2m+l('/7 \ 

= n2^2m+2^n+2 / " (C'n+l-{m+l) ) 

nf— n— l+2m'/'/^ \ 
2^2m'^n+2./ (,<-^n+l-m'; 

— n2^2m'^n+l / " (On+l-m')- 
Note that /""''^(-L) is contained in C^+i, so we have 
which tells us that /"""i(C„+i) = D. So 

Since $O_{n+1}$ is Scott-open, it contains a compact element below $f(b_n)$; let
$b_{n+1}$ be such an element above $b_n$. $\blacksquare$
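
An added illustration, not part of the paper: Lemma 3.15 and the norm $\|\cdot\|_C$ from the start of this subsection, specialized to Kahn's stream domain, where the compact elements are finite sequences ordered by prefix. In that domain it is enough to extend $b_n$ by one token of $f(b_n)$, which is simpler than Jung's general construction; all function names and the two sample nodes are constructed for this example.

```python
from itertools import islice

# Compact elements of the stream domain: finite tuples under the prefix order.
def below(b, c):
    """b is below c, i.e. b is a prefix of c."""
    return len(b) <= len(c) and c[:len(b)] == b

def compact_chain(f, steps):
    """Chain with b_0 = bottom and b_{n+1} below f(b_n), as in Lemma 3.15.

    f maps a finite tuple to an iterable that may be infinite, so f(b_n)
    need not be compact; b_{n+1} keeps one token more than b_n holds.
    """
    chain = [()]
    for _ in range(steps):
        b = chain[-1]
        nxt = tuple(islice(f(b), len(b) + 1))
        if not below(b, nxt):
            raise ValueError("f is not monotone along this chain")
        chain.append(nxt)
    return chain

def norm(chain, b):
    """||b||_C = min{k | b below b_k}; None if b is below no b_k."""
    return next((k for k, bk in enumerate(chain) if below(b, bk)), None)

def causally_before(chain, b, c):
    """b <_C c  iff  ||b||_C < ||c||_C, for b and c below the chain's limit."""
    nb, nc = norm(chain, b), norm(chain, c)
    return nb is not None and nc is not None and nb < nc

# Constructed feedback node f(s) = 0 : map(+1, s); its lfp is 0, 1, 2, ...
def succ_loop(s):
    yield 0
    for x in s:
        yield x + 1

# Constructed node whose output is never compact: f(s) = 1, 1, 1, ...
def ones(_s):
    while True:
        yield 1

CHAIN = compact_chain(succ_loop, 4)   # (), (0,), (0, 1), (0, 1, 2), (0, 1, 2, 3)
ONES_CHAIN = compact_chain(ones, 3)   # (), (1,), (1, 1), (1, 1, 1)

if __name__ == "__main__":
    for k, b in enumerate(CHAIN):
        print(k, b, norm(CHAIN, b))
```
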

Theorem 3.16 If $\mathcal{M}$ is causally expressive, it satisfies (GKP$_l$).

Proof. We adopt the same notation as in Lemma 3.11. Suppose $f \in
\prod_{j \in J} F_j$. We must show that for some $t \in P$, $\mu_S(t) = \mathrm{lfp}(G_f)$. We apply
Lemma 3.15 to obtain a chain of compact elements $C = (b_k)$ with $\bigsqcup b_k =
\mathrm{lfp}(G_f)$, $b_0 = \bot$, and $b_{k+1} \sqsubseteq G_f(b_k)$ for all $k$. Since $\mathcal{M}$ is causally expressive,
for some $t \in T_S$, $\mu_S(t) = \bigsqcup b_k = \mathrm{lfp}(G_f)$, and $<_t \;\supseteq\; <_C$. It remains to show
that $t \in P$. By Proposition 3.12 it suffices to show that for all $[u, v] \sqsubseteq t$,
$\mu_S(v) \sqsubseteq G_f(\mu_S(u))$, which in turn is equivalent to:

$$\forall b \in K(V_S).\ (b \sqsubseteq \mu_S(v) \;\Rightarrow\; b \sqsubseteq G_f(\mu_S(u))).$$

Suppose then that $b \sqsubseteq \mu_S(v) \sqsubseteq \mu_S(t) = \mathrm{lfp}(G_f)$. Since $b$ is compact, $b \sqsubseteq b_k$
for some $k$. If $b = \bot$ we are done; otherwise, for some $k$, $b \sqsubseteq b_{k+1}$, $b \not\sqsubseteq b_k$.
This implies $b_k <_C b$, and hence $b_k <_t b$. By incrementality of $T_S$, we can
find a covering sequence $(t_k)$ for $t$ with $u = t_n$, $v = t_{n+1}$ for some $n$. But
since $b \sqsubseteq \mu_S(v)$ and $b_k <_t b$, this implies $b_k \sqsubseteq \mu_S(u)$, and hence

$$b \sqsubseteq b_{k+1} \sqsubseteq G_f(b_k) \sqsubseteq G_f(\mu_S(u)),$$

as required. $\blacksquare$

As an immediate Corollary of Propositions 3.8 and 3.14 and Theorems
3.9 and 3.16 we obtain:

Theorem 3.17 $\mathcal{M}_P$ and $\mathcal{M}_L$ satisfy (GKP).

4 Concluding Remarks 

The results in this paper are of a preliminary nature. Even within the
asynchronous network model, there are a number of interesting topics for
further investigation. These include the characterisation of models in terms
of properties of extensionality and expressive completeness; and connections
with full abstraction. Also, it would be of interest to specify a uniform
operational semantics for our general class of models $\mathcal{M}_P$, and to prove
some correspondence results. A good basis for this should be given by
[Cur86]. It would also be interesting to formulate a notion of continuous
(e.g. probabilistic) computation in a network, replacing algebraic domains
by continuous ones. Much of the theory developed here should generalize;
note in particular that Lemma 3.15 is valid for $\omega$-continuous cpo's, replacing
"compact" by "relatively compact". Beyond asynchronous networks, we
would like to give a general notion of model in categorical terms, which
would subsume a wide range of concurrency formalisms, including process
algebras and Petri nets, as well as dataflow. The ideas of [Win88] should be
relevant here.